Date post: 16-Apr-2017 | Category: Technology | Upload: sergey-soldatov
BIO

Speaker 1:
• Head of SOC @Kaspersky Lab
• BMSTU graduate, CISA, CISSP
• Ex-infosec dept. director
• Ex-infosec admin
• Ex-software developer
• Ex-musician, sportsman

Speaker 2:
• SOC Analyst @Kaspersky Lab
• SibSAU (Krasnoyarsk) graduate
• Ex-infosec dept. head
• Ex-infosec admin
• Ex-system admin
Threat hunting?
Cyber threat hunting is the practice of searching iteratively through data to detect advanced threats that evade traditional security solutions.
Source: https://sqrrl.com/solutions/cyber-threat-hunting/
What for?
BUSINESS:
• Minimize residual risks
• Minimize time between attack and detection
TECH:
• Unknown [targeted] attacks detection
• Non-malware attacks detection
• TTP-based detection
• “Time machine” for evidence analysis
[Diagram, labels only: Security tools, Prevention, Monitoring, SOC, Alerting, Threat hunting, Hunting, Risks]
Hunting vs. Alerting
SOC/Alerting:
• Reactive
• Detect/forget
Hunting/Mining:
• Proactive
• Repeated searches
[Diagram, labels only: alerting loop with TI, Alerting, IR; hunting loop with Hypotheses, Hunting, MA*, DF, IR, TI]
http://reply-to-all.blogspot.ru/2016/07/blog-post.html (RU)
* MA – malware analysis, DF – digital forensics, IR – incident response
What is needed?
[Big] data:
• OS processes activities
• OS events
• Security tools
• Net perimeter
• …
Process/Procedure:
• TI + all possible detection techniques
• Previous experience
• Situational awareness
• …
Human:
• Able to produce and check hypotheses
• Quick-witted
The Process: Theory
[Diagram, reconstructed from its labels]
Input: raw events
Level 1: “TI Farm”
• Objects (MD5, FQDN) get tags/labels
Level 2: “Cases”
• Objects behavior & IPC (use tags from previous level)
• Output: suspicious objects, suspicious systems
Level 3: Analyst
• Digital forensics (DF), incident response (IR), malware analysis (MA)
Knowledge sources (diagram labels): IoC feeds, AM detects, behavior patterns, whitelisting, popularity, similarity, SOC practice, known attackers TTP (reports), DF/IR practice, security assessment practice
Techniques (diagram labels): heuristics, machine learning, manual analysis, sandbox, scripts :)
What’s inside?

What | How | More info
Process activities @endpoint | Sysinternals Sysmon | https://technet.microsoft.com/en-us/sysinternals/sysmon
Autoruns | Sysinternals Autorunsc | https://technet.microsoft.com/ru-ru/sysinternals/bb963902.aspx
E-mail attachments | MTA + Python + Yara | https://github.com/Yara-Rules/rules

Task | How | Link
Log shipping | Filebeat, Winlogbeat | https://www.elastic.co/products/beats/filebeat , https://www.elastic.co/products/beats/winlogbeat
Parsing, processing, TI matching | Logstash | https://www.elastic.co/products/logstash , https://github.com/aptnotes/data
Storage | Elasticsearch | https://www.elastic.co/products/elasticsearch
Search & visualization | Kibana | https://www.elastic.co/products/kibana
Data: sysmon events

Event Class | ID | Rate | Importance
Process Create | 1 | Low-Medium | Detect initial infection and malware child processes.
Process Terminate | 2 | Low-Medium | Useful for forensic investigations. May be correlated with process creation events.
Driver Load | 6 | Low | Detect device drivers loading.
Image Load | 7 | High (use with filtration) | Detect DLL injection, unsigned DLL loading.
File Creation Time Changed | 2 | Medium-High (need to exclude browsers and archivers) | Detect anti-forensic activity (timestamp changed to cover tracks).
Network Connection | 3 | High (use with filtration) | Identify network activity, connection to malware C&C servers, connection to ransomware server to download encryption keys.
CreateRemoteThread | 8 | Low-Medium | Detect code injections used by malware. Credential theft tools (i.e. mimikatz, WCE) also use this technique to inject their code into the LSASS process.
Process accessed | 10 | High (use with filtration) |
RawAccessRead | 9 | Low | Detect dropping off SAM or NTDS.DIT from compromised hosts.
Data: autorunsc
• autorunsc -a * -ct -h -m -s -nobanner /accepteula
• Add -v -vt if VirusTotal detections matter
• A simple PowerShell script compares the current autorunsc result with the previous one and writes a text log
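The snapshot comparison the slide describes, written here in Python as an added example (the talk's own script is PowerShell and is not shown on the page). Column names are assumed to match Autorunsc tab-delimited output, and the two snapshots are constructed test data carrying only a subset of the real columns.

```python
"""Diff two autorunsc -ct -h snapshots and render a text log (added example)."""
import csv
import io
# Column names as in Autorunsc tab-delimited output (assumed); the constructed
# snapshots below carry only a subset of the real columns.
KEY_COLS = ("Entry Location", "Entry", "Image Path")
WATCH_COLS = ("Launch String", "MD5", "Signer", "Enabled")
HEADER = ["Entry Location", "Entry", "Enabled", "Signer", "Image Path", "Launch String", "MD5"]

def parse_autorunsc(text):
    """Index one snapshot by (location, entry, image path)."""
    rows = csv.DictReader(io.StringIO(text), delimiter="\t")
    return {tuple(r.get(c, "") for c in KEY_COLS): r for r in rows}

def diff_autoruns(previous, current):
    """Return (added, removed, changed) between two snapshots."""
    prev, cur = parse_autorunsc(previous), parse_autorunsc(current)
    added = [cur[k] for k in sorted(cur.keys() - prev.keys())]
    removed = [prev[k] for k in sorted(prev.keys() - cur.keys())]
    changed = []
    for k in sorted(cur.keys() & prev.keys()):
        delta = {c: (prev[k].get(c), cur[k].get(c))
                 for c in WATCH_COLS if prev[k].get(c) != cur[k].get(c)}
        if delta:  # same entry, but its launch string, hash, signer or state flipped
            changed.append((k, delta))
    return added, removed, changed

def format_log(added, removed, changed):
    """Plain text lines for the daily log: one per added/removed/changed entry."""
    lines = ["ADDED   %s | %s | md5=%s" % (r["Entry Location"], r["Launch String"], r["MD5"]) for r in added]
    lines += ["REMOVED %s | %s" % (r["Entry Location"], r["Entry"]) for r in removed]
    lines += ["CHANGED %s | %s | %s" % (k[0], k[1], d) for k, d in changed]
    return lines

def make_snapshot(rows):
    """Build a tab-delimited snapshot from constructed rows (test data, not real tool output)."""
    return "\n".join("\t".join(r) for r in [HEADER] + rows) + "\n"

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
TRAY = [RUN_KEY, "SecurityHealth", "enabled", "(Verified) Microsoft Windows",
        r"c:\windows\system32\securityhealthsystray.exe",
        r"%windir%\system32\SecurityHealthSystray.exe", "1" * 32]
BACKUP_OLD = ["Task Scheduler", r"\Backup", "enabled", "(Verified) Example Corp",
              r"c:\tools\backup.exe", r"c:\tools\backup.exe", "2" * 32]
BACKUP_NEW = BACKUP_OLD[:3] + ["(Not verified)"] + BACKUP_OLD[4:6] + ["3" * 32]
INVENTORY = ["Task Scheduler", r"\System inventory", "enabled", "(Not verified)",
             r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
             r"powershell.exe -File c:\users\public\sytem.ps1", "4" * 32]
PREVIOUS = make_snapshot([TRAY, BACKUP_OLD])
CURRENT = make_snapshot([TRAY, BACKUP_NEW, INVENTORY])
```

Running diff_autoruns(PREVIOUS, CURRENT) reports the new "System inventory" task as added and the backup task as changed (signer and MD5), which is exactly the kind of delta worth writing to the log.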
Data: e-mail attachments
• Python script:
  • Gets e-mail headers
  • Gets attachments: name, size, MD5, file type
  • Checks Yara rules from https://github.com/Yara-Rules/rules (can be any rule set)
  • If an attachment is an archive: checks whether it is password protected, inflates it and repeats the previous steps
  • Returns JSON output, example:
{
  "source_arch_md5": "1788A5624790B6707241E45461443757",
  "file_name": "x64/mimilib.dll",
  "subject": "Fwd: \u0421\u0447\u0435\u0442 \u043d\u0430 \u043e\u043f\u043b\u0430\u0442\u0443",
  "x-virus-scanned": "",
  "yara_matches": ["mimikatz"],
  "file_size": 32256,
  "date": "Sun, 13 Nov 2016 20:56:11 +0300",
  "cc": [],
  "MD5": "7DF94A9513983F9324C630C98B2BACCD",
  "from": "[email protected]",
  "file_type": "PE32+ executable (DLL) (console) x86-64, for MS Windows",
  "yara_check_date": "2016-11-13T16:46:41.788812",
  "user-agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101\n Thunderbird/45.4.0",
  "to": ["[email protected]"],
  "ip": ["172.16.205.139"],
  "message-id": "<[email protected]>",
  "x-mailer": "",
  "mime_type": "application/x-dosexec"
}
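The attachment walk described above (headers, per-file name/size/MD5/type, recursion into archives with the password-protected check), as an added example that is not the talk's script. File typing is done from leading bytes instead of libmagic, the Yara step is left out, and the test message is constructed inline.

```python
"""Extract, hash and type e-mail attachments, recursing into zip archives (added example)."""
import email, hashlib, io, zipfile
from email import policy
from email.message import EmailMessage

# Header-based typing stands in for libmagic ('file'); extend the table as needed.
MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "Zip archive", b"%PDF": "PDF document"}

def file_type(data):
    """Classify a blob by its leading bytes."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "data"

def describe(name, data, msg, source_arch_md5=None):
    """One JSON-ready record per file, with the fields the talk's script reports."""
    return {"file_name": name, "file_size": len(data), "file_type": file_type(data),
            "MD5": hashlib.md5(data).hexdigest().upper(), "source_arch_md5": source_arch_md5,
            "subject": str(msg["subject"]), "from": str(msg["from"]),
            "to": [str(a) for a in msg.get_all("to", [])]}

def analyze(raw_bytes):
    """Return a record for every attachment and for every readable zip member."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        rec = describe(part.get_filename() or "unnamed", data, msg)
        records.append(rec)
        if file_type(data) == "Zip archive":
            rec["encrypted_members"] = 0
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # password protected: cannot inflate, count it
                        rec["encrypted_members"] += 1
                        continue
                    records.append(describe(info.filename, zf.read(info), msg, rec["MD5"]))
    return records

def build_sample():
    """Constructed test message: a zip carrying a fake PE (MZ header plus padding)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("x64/mimilib.dll", b"MZ" + b"\x00" * 30)
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "Fwd: invoice", "sender@example.invalid", "soc@example.invalid"
    m.set_content("see attachment")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return m.as_bytes()
```

json.dumps(analyze(build_sample())) gives one record for the zip and one for the DLL inside it, the latter carrying the archive's MD5 in source_arch_md5 as in the slide's output.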
Data: files & URL from traffic, dynamic analysis
• TODO:
  • Deploy Bro: URL and file extractor
  • Deploy Cuckoo sandbox
  • New version of the Python script: URLs from e-mail
  • Windows events: registry changes, file access, service install, task scheduling, PowerShell, …
  • Correlation engine: Exper
The Process: Practice
[Pipeline diagram, reconstructed from its labels]
• Endpoint: Autorunsc (shipped by Filebeat), Sysmon (shipped by Winlogbeat)
• MTA (Exim): Python script + Yara (shipped by Filebeat)
• Logstash -> RabbitMQ -> Logstash pipelines: logstash-mail, logstash-autorunsc, logstash-windows, logstash-files
• Elasticsearch: index events; unique file aggregation
• ‘TI Farm’
Attacker creates Excel downloader
• Excel with macros downloads sytem.ps1 into memory and executes it
• sytem.ps1 downloads the meterpreter payload into memory and runs it
• Creates scheduled task “System inventory” for persistence
Outro
• TH – the only effective way to counter customized threats
• TH – a ‘must have’ process of security operations
• TH – can’t be fully automated
• TH – a never-ending, self-improving closed cycle via IR/DF/MA
• TH needs data & human-machine analysis
• TH can be done by yourself!

[Process graph from the demo, reconstructed from its labels]
• Thunderbird.exe started excel.exe
• excel.exe started wmiprvse.exe, which started powershell.exe
• powershell.exe started powershell.exe; Task Scheduler started powershell.exe
• powershell.exe started schtasks.exe
• powershell.exe injected into explorer.exe (compromised explorer.exe)
• explorer.exe started \temp\<random2>.exe
• \temp\<random2>.exe started \syswow64\svch0st.exe
• \syswow64\svch0st.exe started \temp\<random1>.exe
• \temp\<random1>.exe injected lsass.exe
• Strange HTTP to 66.66.66.66
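How the Sysmon events from the table (Process Create, CreateRemoteThread) turn into the graph above: an added Python example, not from the talk or its config repo, that rebuilds parent/child ancestry from Event ID 1 records and flags the three patterns of the demo. The event records are constructed and carry only a subset of the real Sysmon fields; the office/mail and injection-target name sets are assumptions.

```python
"""Rebuild a Sysmon process tree and flag the chain from the demo (added example)."""
import os
OFFICE_OR_MAIL = {"excel.exe", "winword.exe", "thunderbird.exe", "outlook.exe"}
INJECTION_TARGETS = {"explorer.exe", "lsass.exe"}

def basename(path):
    return os.path.basename(path.replace("\\", "/")).lower()

def proc(guid, image, parent_guid, parent_image, cmdline=""):
    """Constructed Sysmon Event ID 1 record (subset of the real fields)."""
    return {"EventID": 1, "ProcessGuid": guid, "Image": image, "CommandLine": cmdline,
            "ParentProcessGuid": parent_guid, "ParentImage": parent_image}

EXPLORER = r"C:\Windows\explorer.exe"
TBIRD = r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"
EXCEL = r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"
WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed; mirrors the slide's graph: mail client -> Excel -> WMI -> PowerShell
    proc("A", TBIRD, "0", EXPLORER),
    proc("B", EXCEL, "A", TBIRD),
    proc("C", WMI, "B", EXCEL),
    proc("D", PS, "C", WMI),
    proc("E", r"C:\Windows\System32\schtasks.exe", "D", PS, 'schtasks /create /tn "System inventory"'),
    proc("F", PS, "0", EXPLORER),  # benign: a console opened from the desktop
    {"EventID": 8, "SourceProcessGuid": "D", "SourceImage": PS, "TargetImage": EXPLORER},
]

def ancestry(by_guid, guid):
    """Image names from a process up to the root that spawned it, child first."""
    chain, parent = [], None
    while guid in by_guid:
        e = by_guid[guid]
        chain.append(basename(e["Image"]))
        guid, parent = e["ParentProcessGuid"], basename(e["ParentImage"])
    return chain + [parent] if parent else chain

def hunt(events):
    """Return (finding, detail) pairs for the three patterns seen in the demo."""
    by_guid = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] == 1 and basename(e["Image"]) == "powershell.exe":
            chain = ancestry(by_guid, e["ProcessGuid"])
            if OFFICE_OR_MAIL & set(chain):  # Office/mail client anywhere up the tree
                findings.append(("powershell-from-office", " <- ".join(chain)))
        elif e["EventID"] == 1 and basename(e["Image"]) == "schtasks.exe" \
                and basename(e["ParentImage"]) == "powershell.exe":
            findings.append(("schtasks-persistence", e["CommandLine"]))
        elif e["EventID"] == 8 and basename(e["TargetImage"]) in INJECTION_TARGETS:
            findings.append(("remote-thread", "%s -> %s" % (basename(e["SourceImage"]), basename(e["TargetImage"]))))
    return findings
```

The benign console (record F) produces no finding because nothing in its ancestry is an Office or mail client, while the WMI-proxied PowerShell is still caught since the check walks the whole chain rather than the immediate parent.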
• All configs: https://github.com/votadlos/ZN2016
Q&A
Thank you for your attention!